Make DirectAccess Work on Win 10 LTSB

Note: This post is a targeted to a certain Enterprise Audience and therefore will be very straightforward with less pleasantries and/or screenshots.

The Problem

If you’re like me, and after testing the various Windows 10 editions, landed on the LTSB as your favorite, you may be having some issues if you use DirectAccess.

I’ve been holding out on upgrading my primary work laptop to Windows 10 since there is still a lingering issue with domain account lockouts that Microsoft needs to fix. Despite this bug, I did find a Band-Aid that seems to be working, so I decided to bite the bullet and make the jump. After migrating to Windows 10 (LTSB), however, I quickly noticed a big issue: DirectAccess was not available after joining the PC to the domain.

If you’re familiar with DA, by default, after joining a device that meets the “laptop” qualifications to the domain, Windows downloads and processes the GPO which enables and configures DirectAccess for off-site tunneling into your companies (or maybe home) network.

Since this obviously wasn’t happening, I ran a gpresult /r to see what was up. I quickly found the issue:

But why am I getting denied? This was working fine on Windows 8.1 Enterprise. What did Microsoft change?

During my initial Windows 10 trials, I, like many others, quickly ran into a similar situation. Testing a Surface Pro 3 which I primarily use while remote (with DA), I couldn’t get the GPO to apply. During my trials, however, I discovered that simply modifying this WMI filter and adding the line OR Version like '10.%' fixed the problem. A simple gupduate /force and my Surface applied the policy without issue. Great! No more Windows 10 issues, right? Technically this was true, but only for the Enterprise SKU.

The answer soon became obvious: I’m using a new Operating System SKU.

So I ran wbemtest on my fresh LTSB install to figure out what changed and came upon this:

OperatingSystemSKU: 125 ? Never seen that before. Time for another WMI Filter update.

The Answer

Open up Group Policy Management

Buried beneath the WMI Filters folder, you should see a DirectAccess – Laptop only WMI Filter.

Select this filter and you should have two queries. The first one, ending in PCSystemType = 2 limits the GPO to laptops only. Leave this query alone.

The second query, ending with OperatingSystemSKU – we need to edit this one.

If you’ve already added the Version like '10.%' remarks I mentioned earlier, skip to the next bullet. Otherwise, modify the query and add OR Version like '10.%' after either Version LIKE '6.2%' or possibly Version LIKE '6.3%' (if you modified the GPO for Windows 8.1).

On the same line, add OR OperatingSystemSKU = 125 at the end, right before the double parentheses.

My query is below, if you just want to copy and paste:

Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR (Version LIKE '6.2%' OR Version LIKE '6.3%' OR Version LIKE '10.%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84 OR OperatingSystemSKU = 125)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

So there you have it! Run a gpupdate /force on your fresh Win 10 LTSB laptop, and it’ll now get the GPO.

I suspect we’re going to see this issue become larger as more folks try this edition, so hopefully Microsoft will post about these new SKU numbers somewhere. For a breakdown of what these numbers actually mean, check out my colleague Jason’s post over at TechOnTip blog. He spent some time and did the hard work for you!